Re: [sleuthkit-users] tsk - get clusters/sectors associated with a file
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] tsk - get clusters/sectors associated with a file
|
From: Brian C. <ca...@sl...> - 2017-01-17 15:19:41
|
The easiest way is to do a "walk" on the file (or attribute). There are a variety of ways of doing this. Either tsk_fs_file_walk() <http://www.sleuthkit.org/sleuthkit/docs/api-docs/4.2/group__fslib.html#ga17bc6f9ac09af7afed905b94d8257494>or tsk_fs_attr_walk() will do it. You can pass in the TSK_FS_FILE_WALK_FLAG_AONLY flag if you care only about addresses. That will be faster because it won't waste time loading file content into the buffer. There is an example callback in tsk/fs/ifind_lib.c (ifind_data_file_act()) that could be a useful starting place. On Mon, Jan 16, 2017 at 11:59 PM, Lloyd <llo...@gm...> wrote: > Hi, > > In tsk, is it possible to get the sectors/clusters associated with a file > using tsk API? If not which part of the source should i refer to get this > information? > > Thanks, > Lloyd > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, SlashDot.org! http://sdm.link/slashdot > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > > |
